Monthly Archives: May 2018

SOX – Not Just for Foxes and Baseball; A Sarbanes-Oxley IT Compliance Primer

There are Red Sox and White Sox and, of course, Fox in Socks, but in 2002, a new SOX entered our lexicon: The Sarbanes-Oxley Act of 2002. This financial regulation was a response to large corporate misdeeds at the time, most notably Enron misleading its board through poor accounting practices and financial oversight.

The regulation seeks to ensure accurate and reliable financial reporting for public companies in the United States. But what does financial reporting have to do with IT?

A lot, it turns out, since it’s no longer en vogue to have scribes with long feather quills scribbling out numbers in giant paper books. Unfortunately for the quill, ink and abacus peddlers of the world (and fortunately for the auditors), financial systems are now the domain of servers and databases running large ERP applications.

The section of SOX that most affects IT is section 404. It requires “Management Assessment of Internal Controls,” which is a tiny portion of the bill but a huge part of any audit. The reason for this is that an auditor wants to assure the effectiveness of internal controls with regard to the financial systems and processes.

In practical IT terms, this means they want to know that data flowing through the system can’t be tampered with and controls are in place to manage risk to that data.

Some primary control areas are:

  • Change Management
  • Access Management – physical and logical
  • Disaster Recovery (backups, business continuity)
  • Automated Processes (scheduled jobs)

While auditors will be concerned with policy and process, they will also want to see evidence of those policies and processes at work. A great example is change management; change should be authorized, implemented by an appropriate person, tested and deployed into production.

Each part of the process is to ensure that change does not introduce undue risk into the financial system, and any problems are easily rectified or rolled back. An auditor will look for evidence that this process is occurring, which can mean IT staff needs to produce service desk tickets, approvals, and change reports.

And by the way, the auditors will be grabbing a sample set from ALL changes, not just one, so be prepared to produce a lot of documentation. This is only one area of the IT controls, so these audits can mean a lot of work for IT staff that isn’t part of core IT operations but is very important to the business as a whole.

Easing the Audit Burden

Like painting the Golden Gate Bridge, SOX audits never end. Controls must operate continuously throughout the year, and an auditor needs to see that change or access management in January is also operating in all the other months, so be prepared to pull evidence on a regular basis.

While the audits produce a yearly report, it is not uncommon to have audit-related activities throughout the year. This can put a lot of stress on an already-stressed IT staff. One key to reducing that load is automation – any control that can both be automated and generate auditor-friendly reports is a big win for IT and the auditor.

For a system like Active Directory, database servers or applications with a common database backend, it’s relatively easy to check for change and report on those changes using a tool like Tripwire Enterprise. As an added security benefit, add alerting for critical systems whenever a user is added or privileges elevated.

When an auditor requests a sample of the active and terminated users, a monitoring tool can corroborate access controls, and if your organization happens to use an ITSM tool like ServiceNow or Jira, it’s possible to demonstrate end-to-end change management from request all the way to completion. No more digging through email or ticketing systems!

The same is true of application changes. Auditors want to ensure that changes to applications and processes followed proper change control, and once again FIM is your friend. By being able to report change all the way through the system with simple reports, it’s easy for an auditor to get comfortable with an organization’s change controls. Those same controls provide security and operational assurance aside from an audit, as it’s important to know what changed, when, and whether the change was authorized.
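The reconciliation described above, sketched as an added example that is not from the original article or from any vendor's product: detected changes are matched against change tickets to answer whether each change was approved, made by the assigned implementer, and made inside its window. The record shapes, field names and sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class ChangeEvent:
    """One change reported by a monitoring tool (constructed shape)."""
    system: str
    item: str
    actor: str
    when: datetime


@dataclass(frozen=True)
class Ticket:
    """One change ticket from the service desk (constructed shape)."""
    ticket_id: str
    system: str
    implementer: str
    approved_by: str        # empty string means the change was never approved
    window_start: datetime
    window_end: datetime


def problems_with(event, ticket):
    """List every way this event fails to line up with this ticket."""
    problems = []
    if not ticket.approved_by:
        problems.append("ticket not approved")
    if event.actor != ticket.implementer:
        problems.append("actor is not the assigned implementer")
    if not ticket.window_start <= event.when <= ticket.window_end:
        problems.append("outside the approved window")
    return problems


def reconcile(events, tickets):
    """Split events into audit evidence and exceptions needing follow-up."""
    evidence, exceptions = [], []
    for event in sorted(events, key=lambda e: e.when):
        candidates = [(problems_with(event, t), t)
                      for t in tickets if t.system == event.system]
        if not candidates:
            exceptions.append((event, None, ["no ticket for this system"]))
            continue
        # Report against the ticket that comes closest to explaining the change.
        problems, ticket = min(candidates, key=lambda c: len(c[0]))
        if problems:
            exceptions.append((event, ticket.ticket_id, problems))
        else:
            evidence.append((event, ticket.ticket_id))
    return evidence, exceptions


def at(text):
    """Parse the timestamp format used in the sample data."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Constructed sample data, not taken from any real environment.
SAMPLE_TICKETS = [
    Ticket("CHG-1001", "erp-db", "dba.lee", "cab.chair",
           at("2018-05-03 22:00"), at("2018-05-04 02:00")),
    Ticket("CHG-1002", "ad", "admin.kim", "",
           at("2018-05-10 09:00"), at("2018-05-10 11:00")),
]
SAMPLE_EVENTS = [
    ChangeEvent("erp-db", "table gl_posting altered", "dba.lee", at("2018-05-03 22:40")),
    ChangeEvent("erp-db", "job nightly_close edited", "dev.ray", at("2018-05-07 14:05")),
    ChangeEvent("ad", "member added to Domain Admins", "admin.kim", at("2018-05-10 09:30")),
    ChangeEvent("payroll-app", "tax.ini modified", "ops.ana", at("2018-05-12 08:15")),
]

if __name__ == "__main__":
    evidence, exceptions = reconcile(SAMPLE_EVENTS, SAMPLE_TICKETS)
    for event, ticket_id in evidence:
        print(f"OK        {event.when} {event.system}: {event.item} [{ticket_id}]")
    for event, ticket_id, problems in exceptions:
        print(f"EXCEPTION {event.when} {event.system}: {event.item} "
              f"[{ticket_id or 'no ticket'}] {'; '.join(problems)}")
```

The exceptions list is the part worth reviewing before an auditor pulls a sample: each entry is a change that either has no ticket or does not match the one it should.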

While it’s one thing to have all the controls and tools in place, it’s another to have a security analyst manage them. Reports take time away from other duties even when they are at the ready, and there are many other things to do on any given day. An admin may not be available to run the tools, even if automation sounds like a great idea.

In that case, a managed service may be worth looking into. It reduces the total cost of ownership (TCO) and frees up time for security professionals to focus on other projects. Tripwire ExpertOps has the compliance experience to help organizations through audits, including SOX.

Clean SOX

It may seem like one more thing to have to do, but compliance actually provides security and operational benefits if approached with the right attitude. Applying the CIS top 20 Critical Security Controls will get you a long way toward compliance, as well as preventing a vast majority of cyber-attacks. Good, mature change management processes ensure quality updates with less downtime, and being able to prove your work is a great test that controls are operational.

SOX compliance itself helps ensure the public has access to reliable financial information and is itself a preventative control against fraud. Having a clean SOX report is a great way to know that the controls your organization has put in place have been validated by a trusted third party and any areas of weakness or gaps can now be remediated. Rather than an onerous obligation, consider your audits health checks on your environment and use them for operational and security improvements.

 

via:  tripwire

Technical ignorance is not leadership

There is a peculiar pattern that I have noticed among elites in the United States outside Silicon Valley, which is the almost boastful ignorance of technology. As my colleague Jon Shieber pointed out, you can see that ignorance among congressmen throughout the whole Facebook/Cambridge Analytica saga. Our president has rarely sent an email, and seems to confine his mobile phone activities to Twitter. One senior policymaker told me a few months ago that she doesn’t know how to turn on her computer.

Such a pattern is hardly unique to politics though. Hang out with enough business executives, lawyers, doctors, or consultants, and you will hear the inevitable “I don’t really do the computer,” with an air of detached disdain.

Yet it isn’t just the technical challenges that this class avoids, but anything to do with implementation in general. In the policy world, wonks spend decades debating the finer points of healthcare and social spending, only to be wholly ignorant of how their decisions are actually implemented into code. There is an elitism in policy between those who make the decisions and those who implement them, just as much as there is a social distinction between corporate executives and the people who have to carry out their directives.

In many ways, this disdain for the technical mirrors the disdain for math, where the phrase “I’m not a math person” has become sufficiently ubiquitous in the U.S. as to be covered regularly in the press. Being bad at math is a way to signal that someone isn’t one of the worker bees who actually have to care about calculations — they just read the reports prepared by others.

Yet, that ignorance of technology is increasingly untenable. Decisions are only as good as the implementation that results. Marketing isn’t a plan, it’s a system of feedback loops from the market that need to be adjusted in real-time. It’s one thing for politicians to sign a bill into law, but another to ensure that the bill’s intentions are actually encoded into the software that powers government.

The gap between decision and implementations was at the core of a conversation I had this past week with Jennifer Pahlka, who founded and heads Code for America, a nonprofit whose mission is to bridge the divide between government and technologists.

To show how far a policy and its implementation can be, she pointed me to Proposition 47 in California. That initiative, which was passed by voters in 2014, was designed to allow individuals to retroactively expunge or reclassify certain nonviolent felonies to misdemeanors, allowing individuals to become eligible again to work, vote, and receive some government benefits.

Yet, several years after the approval of Prop 47, a single digit percentage of eligible people have taken advantage of the program. The reason is classic government: incredibly convoluted paperwork, which is exponentially worse since every one of California’s 58 counties has to implement the program independently. “If you are a voter and you voted for a specific referendum,” Pahlka explained, then you expect a certain outcome. But, “if none of the benefits that you expected to change” materialized, then cynicism mounts quickly.

To help bridge the gap, Code for America launched Clear My Record, a service designed to automate many of the steps involved in the Prop 47 process and make it more accessible. It’s just one of a bunch of services that the group has launched to improve government services ranging from food assistance through GetCalFresh to improving case manager communication through ClientComm.

Pahlka’s mission isn’t to just offer point solutions for specific government programs, but to completely overhaul the latent anti-tech culture of government officials. “Digital competence is core to successful government,” she explained, and yet, “If you are a powerful person, you don’t have to understand how the digital world works … but what we are saying is that you do have to care.” Her goal is straightforward: “how do you get policy, operations, and tech to all work together?”

While Pahlka and her organization focus on the public sector, their framework is perhaps even more important to the private sector. There isn’t a company today that can survive without technical leadership in the C-suite, and yet, we still see an astonishing lack of awareness about the internet and its potential from corporate executives. Software increasingly intermediates all relationships with customers, whether through digital commerce or enterprise services. If the software is bad, no amount of decision-making in a mahogany-paneled board room is going to change it.

The good news is that ignorance has an easy solution: education. The computer is not some mystery box. It’s well-documented, and all kinds of resources are available to learn how computers work and how to think about their capabilities and nuances. If someone can run a multinational company, they can probably ask smart questions about algorithms or machine learning even if they don’t realistically implement the linear algebra themselves.

CEOs, senators, and other leaders are synthesizers — they rely on staff to handle the details so they can focus on strategy. We would never trust a CEO who brushed off an accountant by saying “I don’t do cash flows,” and we shouldn’t trust a CEO who doesn’t understand how the internet works. Changing times require adaptable leaders, and today those leaders need tech literacy just as much as our grade-school children do. It’s the only way leadership can move forward today.

 

via:  techcrunch

Google’s Advanced Protection program now allows access from Apple’s mobile apps, too

Last October, Google launched its Advanced Protection Program for users who want to ensure the highest degree of protection for the data they store in services like Gmail, Google Calendar and Drive. Users who need that kind of protection can opt into this program, but, in return, they have to use security keys for the two-step verification and can only access their Google data from Google’s own web and mobile apps.

Google is opening up this last restriction a bit by allowing access through Apple’s own native iOS apps like Mail, Calendar and Contacts. Users in the Advanced Protection program can now choose to give those apps access to their data, too.

“Our goal is to make sure that any user facing an increased risk of online attacks enrolls in the Advanced Protection Program,” Dario Salice, Google’s product manager for this service, writes. “Today, we’ve made it easier for our iOS users to be in the program, and we’ll continue our work to make the program more easily accessible to users around the globe.”

Like before, the program is meant mostly for those users who are most likely to become the victim of a sophisticated attack, including journalists, activists, politicians and business leaders. By supporting Apple’s own native apps, the service will likely be attractive to a wider audience now. For some reason, not everybody loves Google’s own mobile apps, after all.

 

via:  techcrunch

Dispelling the Myth: How to Optimize Your Company for Both Cyber Security and Productivity

If there is one thing that executives and managers never want to disrupt, it would be productivity.

As most managers know, productivity is the ability to make use of resources while producing profitable goods and services. Put another way: are you producing enough profitable outputs given your resource inputs? Measuring productivity is a way to assess a company’s performance and gauge how efficient the business is.

When productivity is high so too is profitability. The importance of productivity is that it is an active means of gauging the effectiveness of an organization’s operations to produce profits. Profits are the end result of productivity. It comes as no surprise that managers at all levels of the organization do not want to decrease productivity.

One problem that often develops as a result of the pressure to increase productivity is forsaking security for perceived efficiency gains. Managers often view security as an obstacle to increasing productivity. The perception seems to be that increasing security measures will get in the way of people’s ability to get their job done. While it is fairly easy to see how they came to that conclusion, it is simply not true. The reality is much better: companies can integrate security into their business process improvement frameworks, allowing managers not just to eliminate waste but to enhance security as well.

Where Does the Pressure for Productivity Come From?

The drive for perpetually increasing productivity comes from the sources of profits for companies: cost reductions and revenues.

When a company reduces its wasteful costs, it is able to increase savings, which in turn increases its profits. Additionally, reducing waste can lead to a more streamlined production process and optimized operations. This can yield either a higher quantity of product or a better quality of product or service. The role of managers is to boost productivity in order to increase profitability. This is the expectation of shareholders and the Board of Directors. Outside the organization, competitors are constantly seeking to deliver similar value but better and faster, not to mention technological advances that are creating new business models that can render a production process obsolete. The pressure a manager faces is enormous.

In recent years their troubles have only intensified as information technology has redefined what security means for many businesses. While increasing productivity is a reasonable goal, sacrificing security is just reckless. If an organization suffers from a data breach then all their efforts into boosting productivity are rendered obsolete. Now there is a public backlash, lost sales, reduced brand equity, lawsuits, and overall decreases in profitability. Managers place their organizations under a ton of risk by ignoring cyber security.

Common Business Process Improvement Frameworks

When trying to improve productivity, managers often turn to business process improvement frameworks such as Lean, Six Sigma, Kaizen, or Process Reengineering. These frameworks often have the goal of waste elimination and utilizing labor and assets in the most efficient ways possible.

For example, with the Lean process improvement framework, managers are supposed to follow five principles: (1) determine perceived value of output, (2) identify the value stream, (3) reduce large batch processing, (4) develop demand-pull activation, and (5) continuous improvement. Six Sigma is focused on quality improvement and sets a goal to reduce errors down to nearly zero. Kaizen is a more incremental approach until efficiency goals are achieved. Kaizen works best with repetitive tasks. Process reengineering is a general approach that seeks to redevelop end-to-end processes to become more efficient. The goal is to eliminate unnecessary steps, reduce hand-offs, reduce errors, and boost cycle times.

In each of these process frameworks, notice something: security is not mentioned or highlighted anywhere. Instead, it is up to the manager to understand the need for cyber security and develop an innovative way to integrate it. This is a problem because these are just a sample of the popular approaches that managers use to make their operations more productive and efficient. Thankfully, there is a security design philosophy for developing a process or operation that blends well with these frameworks.

Integrating Security-by-Design Principles

Security by Design is a set of principles that works with the design of a product or process to secure the data as a core part of the development, rather than being a retroactive feature. In the context of security, a quality process will be as secure as possible from the start. Data security’s core principles are confidentiality, integrity, and availability. The security-by-design framework was built on these three pillars. The security by design principles include the following:

PRINCIPLE OF LEAST PRIVILEGE

Ensure that access to information is limited and only granted on a need-to-know basis. Users need to operate with a minimal set of privileges. This principle should apply without discrimination regardless of title. This means the CMO should only access what they need to access and nothing more, no different from the new hire in Payroll.

FAIL SAFELY

You should design sub-processes to ensure that even in a failed state, the main system remains unexposed to threat. This can be considered part of developing a continuity plan. The goal is to ensure that your organization can still operate each process well, even if your technology is offline. FedEx had to do this during the NotPetya outbreak, where their IT systems failed globally, but they were able to continue operation.

SIMPLICITY

Security is about control and protection, which becomes harder the more complex a system is. Ensure that information systems provide only exactly what is needed in a way that allows for productivity to proceed without bottlenecks. The more complex a system (features, plugins, integrations etc.) is the more exposed it becomes to threat and bypass. The more simple a system, the easier oversight and control of it becomes.

DON’T ACCEPT OBSCURITY

Systems dependent on secrecy will often be exposed or rendered obsolete. Do not aim to be secure by secrecy. Dividing data across servers will help more than keeping secret files, which are likely to get exposed during a cyber attack.

PSYCHOLOGICAL ACCEPTABILITY

Security needs to be integrated with an operations process and not a hindrance to the continuation of work. For this reason ensure that your security system is user-centric in the sense that it takes into account what their job is and what too much added work will do to their motivation to participate. If this critical people component is not taken into account the exposure to insider threat rises for your organization from negligence and frustration. This is at the heart of maintaining productivity.

LAYERING DEFENSES

Do not rely on just one mode of defense, as any mode is subject to bypass. Security in people’s behavior is just as important as the supporting technology; it is the first line of defense. You should embed at least two mitigation strategies in the event of a breach to ensure that data is not accessed by outsiders. Most of these will be passive and unnoticeable to users on the network.

Where to Integrate Them Into The Frameworks

You should seek to include each security-by-design principle in each phase if possible. The principles blend well with the process redesign frameworks. You do not have to apply every principle at the same time, but do try to apply as many as you can in your process redesign. The most important thing when it comes to productivity is to ensure the process is psychologically acceptable. It is also important to realize that you need to design a secure process first and then consider what technology will be applicable later. Technology needs to be implemented only after root causes are identified.

If you implement technology on top of an as-is process, you will only add more complexity and reduce productivity. At its heart, process design is the effort of creating repetition. So design the process first and ensure that it is both secure and efficient. Then integrate new technologies.

 

via:  tripwire

Phishers Leveraging GDPR-Themed Scam Emails to Steal Users’ Information

Phishers are using scam emails that leverage the European Union’s General Data Protection Regulation (GDPR) as a theme in an attempt to steal users’ information, a security firm found.

Researchers at managed threat detection solutions provider Redscan came across one such phishing message that appeared to originate from Airbnb. The scam email, which came from the fake domain “@mail.airbnb.work” as opposed to the legitimate “@airbnb.com,” addressed the recipient as an Airbnb host and said they could not accept new bookings or send messages until they agreed to a new Privacy Policy that reflects changes introduced by GDPR. As quoted by ZDNet, the message read as follows:

This update is mandatory because of the new changes in the EU Digital privacy legislation that acts upon United States based companies, like Airbnb in order to protect European citizens and companies.

Fake Airbnb privacy email. (Source: Redscan)

When clicked, the link redirected recipients to a page that asked them to enter their account credentials, payment card details and other personal information.

ZDNet confirmed that Airbnb is sending messages to hosts about GDPR but that it’s simply asking them to agree to new Terms of Service. Those real messages did not ask hosts to submit their credentials. As a result, the community-driven hospitality company made clear that users who receive suspicious emails should submit them to its Trust and Safety team.

Mark Nicholls, director of cyber security at Redscan, told ZDNet that web users are likely to see other types of attacks leveraging GDPR as a theme in the meantime:

As we get closer to the GDPR implementation deadline, I think we can expect to see a lot more of these types of phishing scams over the next few weeks, that’s for sure. In the case of the Airbnb scam email, hackers were attempting to harvest credentials. Attack vectors do vary however and it’s possible that other attacks may attempt to infect hosts with keyloggers or ransomware, for example.

To protect themselves against these types of attacks, users should familiarize themselves with some of the most common types of phishing attacks and implement steps to prevent a ransomware infection.


UPDATE 02/05/18: Following publication of this story, a public affairs manager for Airbnb reached out to this author with the request that the following statement be shared:

These emails are a brazen attempt at using our trusted brand to try and steal user’s details, and have nothing to do with Airbnb. We’d encourage anyone who has received a suspicious looking email to report it to our Trust and Safety team on report.phishing@airbnb.com, who will fully investigate. We provide useful information on how to spot a fake email on our help centre and work closely with external partners to report and help remove fake Airbnb websites.

The statement went on to assure users that bad actors never had access to their details before sending out the messages. It also recommended that users could confirm the legitimacy of an Airbnb email by checking the sender’s email address against this list of official aliases used by the company and by hovering over a URL to see if they would be redirected to a subdomain operated by Airbnb.com.
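The two checks recommended above, written out as an added example that is not from the original article or from Airbnb: compare the sender's domain and every link's real destination against a trusted domain. The trusted set holds only airbnb.com, the one legitimate domain the article names (the company's full alias list is not reproduced here), and both sample messages, including the lookalike link host, are constructed.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the only domain treated as legitimate is the one the article names.
TRUSTED_DOMAINS = {"airbnb.com"}


def host_is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True only for a trusted domain itself or a true subdomain of it.

    Matching on a dot boundary is the point: a plain substring or suffix test
    would accept 'evilairbnb.com' and 'airbnb.com.login.example'.
    """
    host = (host or "").rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def review_message(raw):
    """Return a list of findings for a single-part HTML message."""
    msg = message_from_string(raw)
    findings = []

    # Check 1: the sender's domain, taken from the address, not the display name.
    _, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2]
    if not host_is_trusted(sender_domain):
        findings.append(f"sender domain not trusted: {sender_domain}")

    # Check 2: where each link really goes, whatever text it is shown as.
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        parts = urlsplit(href)
        if parts.scheme in ("http", "https") and not host_is_trusted(parts.hostname):
            findings.append(f"link shown as {text!r} goes to untrusted host: {parts.hostname}")
    return findings


# Constructed samples. The sender domain of the first is the fake one quoted in
# the article; the link host uses the reserved .example TLD as a placeholder.
SUSPICIOUS = """\
From: "Airbnb" <support@mail.airbnb.work>
Subject: Update to our Privacy Policy
Content-Type: text/html

<p>Review it at <a href="https://airbnb.com.login.example/privacy">https://www.airbnb.com/privacy</a>.</p>
"""

BENIGN = """\
From: "Airbnb" <notices@airbnb.com>
Subject: Update to our Terms of Service
Content-Type: text/html

<p>Read the <a href="https://www.airbnb.com/terms">new terms</a>.</p>
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, review_message(raw))
```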

 

via:  tripwire

You should change your Twitter password right now

Yes, it’s that time again — password changing time. On Thursday, Twitter revealed that a bug caused the platform to store user passwords in unmasked form. Normally, sensitive personal data like passwords would be stored in hashed form, as a mix of letters and numbers, to protect the content of the password itself. In this instance, it sounds like Twitter wrote plain-text passwords, without any hashing, to an internal log.

Twitter notes that it currently has “no reason to believe password information ever left Twitter’s system” or that these unprotected passwords were accessed by hackers, but the risk of the unknown remains. The company has advised users to change their passwords as a precautionary measure.

Here’s what Twitter says happened:

We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter’s system. This allows our systems to validate your account credentials without revealing your password. This is an industry standard.

Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again.

We’ve reached out to Twitter for more details on the bug and additional information about how this could have happened. Update: Twitter declined to provide additional technical details on the incident but emphasized that it believes the likelihood that the passwords were discoverable is “extremely low” and an internal investigation has revealed no indications of a breach or other misuse.

It’s pretty unusual for a company of this size to make such a basic security mistake, but that’s just another reason for users to take password protection into their own hands. Now is the perfect time to start using two-factor authentication and a password manager like LastPass or 1Password to keep your account credentials safe even when the platforms you use fail to do so.
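The class of bug Twitter describes, a password reaching a log before it is hashed, shown as an added example beside two defenses; this is constructed illustration code, not Twitter's, whose details were not disclosed. PBKDF2 from the Python standard library stands in for bcrypt here, and the function names, key list and sample form are assumptions.

```python
import hashlib
import hmac
import io
import logging
import os

SENSITIVE_KEYS = {"password", "new_password", "token"}   # assumed field names


def scrub(value):
    """Return a copy of a log argument with sensitive dict values masked."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else scrub(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(scrub(v) for v in value)
    return value


class RedactSecrets(logging.Filter):
    """Safety net: mask secrets in log arguments before the handler writes them."""

    def filter(self, record):
        record.args = scrub(record.args)
        return True


def hash_password(password, salt=None):
    """Salted, slow hash (PBKDF2 here; the article's system uses bcrypt)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password(password, salt, digest):
    """Validate a login attempt without ever storing the password itself."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def signup_logging_raw(log, form):
    """The failure mode: the whole request is logged before hashing happens."""
    log.info("signup request: %s", form)
    return hash_password(form["password"])


def signup_hardened(log, form):
    """Hash first, and log only the fields that are safe to keep."""
    salt, digest = hash_password(form["password"])
    log.info("signup for user=%s", form["username"])
    return salt, digest


def run_and_capture(signup, form, redact):
    """Run one signup against an in-memory log and return what was written."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    if redact:
        # On the handler, so every record it writes passes through the filter.
        handler.addFilter(RedactSecrets())
    log = logging.getLogger(f"demo.{signup.__name__}.{redact}")
    log.setLevel(logging.INFO)
    log.propagate = False
    log.handlers = [handler]
    signup(log, form)
    return stream.getvalue()


# Constructed sample input.
SAMPLE_FORM = {"username": "alice", "password": "correct horse battery staple"}

if __name__ == "__main__":
    print(run_and_capture(signup_logging_raw, SAMPLE_FORM, redact=False), end="")
    print(run_and_capture(signup_logging_raw, SAMPLE_FORM, redact=True), end="")
    print(run_and_capture(signup_hardened, SAMPLE_FORM, redact=False), end="")
```

The filter only catches secrets passed as named fields in log arguments; a password already formatted into the message string gets through, which is why the hardened function avoids logging the form at all.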

 

via:  techcrunch

 

Microsoft Brings Application Guard to Windows 10 Pro

Microsoft on Monday made Windows 10 April 2018 Update available to users, which brings new features, enhancements and security updates, along with improvements to Windows Defender Security Center.

One of the main changes in the update is the availability of Windows Defender Application Guard (WDAG), which allows users to browse the Internet while being protected from sophisticated browser attacks.

First detailed in January last year, Windows Defender Security Center is receiving various enhancements to provide increased ease-of-use. The Center was designed to simplify the manner in which users view and control the security protections of the platform, as well as to help people better understand and leverage the security features protecting them.

With the release of Windows 10 April 2018 Update, the Security Center offers quick access from the context menu when right-clicking on the Windows Defender Security Center icon in the notification area. This menu allows users to run a quick scan, update Windows Defender Antivirus definitions, change the notifications, and open the Security Center.

Now, users can also take advantage of the Account Protection pillar in Windows Defender Security Center, which makes it easier for them to protect their identity when signing into Windows. The feature encourages local account users to connect a Microsoft Account (MSA) and password users to set up Windows Hello Face, Fingerprint or PIN for faster and more secure sign in.

Additionally, Dynamic lock now leverages the alerting system in Windows Defender Security Center to inform users when it has stopped working because the Bluetooth on their phone or device is off, Microsoft announced.

A Device Security pillar in the Security Center now delivers greater insight into the security features integrated in Windows devices. There, users can access status reporting, can manage security features built into their devices, and can also toggle features on for enhanced protections.

The update also brings along additional options for how notifications are delivered. Users can now customize the type of notifications they receive from Windows Defender Security Center, and can disable or enable notifications about recent, automatic scans or about threats or files that have been blocked.

With the April 2018 update, Microsoft is also enabling Windows 10 in S mode on both Windows 10 Home and Pro PCs. In addition to flexibility and increased performance, Windows 10 in S mode also delivers more protections, as all applications are verified by Microsoft for security and performance.

The update also brings OneDrive Files Restore integration in Windows Defender, which should provide users with expanded ransomware protection. With the new feature, users can save their files to OneDrive and keep files safe from malware.

“If a ransomware threat is found on a device, Windows Defender will notify you of the threat, help you remove the ransomware from your device, and give you the option to use OneDrive Files Restore so you can recover your OneDrive files to the state they were in before the attack occurred,” Microsoft explains.

Office 365 Home subscribers, Office 365 Personal subscribers, and OneDrive for Business users can currently benefit from Files Restore, which allows them to restore their OneDrive to a previous point in time within the last 30 days.

Windows 10 April 2018 Update brings along a new Single Sign-On experience too. Now, users can sign into one Microsoft app or service on a device to be signed into all of them. Users can sign with a Microsoft account into Office 365 and use that account across a full range of Microsoft apps and services.

All Office 365 subscribers will benefit from this feature by June, Microsoft says. All they require is the April 2018 update installed and the latest version of Office. Users will be able to select which Microsoft apps they sign into.

“While all new accounts added will be able to opt into this by default, it can be extended to accounts you have already added as well. Just head to the Settings app, click ‘Accounts’ followed by ‘Email & app accounts’. Choose the account you added previously and select “Microsoft apps can sign me in” from the drop-down,” Microsoft explains.

The April 2018 Update also makes it easier for Microsoft account users to set up Windows Hello on their compatible devices, the company says. Previously, users had to dive deep into Settings to find Windows Hello, but the option to set up Windows Hello Face, Fingerprint or PIN is now accessible directly from the lock screen (by clicking the Windows Hello tile under Sign-in options).

 

 

via:  securityweek

Fitbit will use Google Cloud to make its data available to doctors

Fitbit announced plans to utilize Google’s new Cloud Healthcare API, in order to continue its push into the world of serious healthcare devices. It’s a bit of a no-brainer as far as partnerships go.

Google announced Cloud for Healthcare, taking a major step into the world of health, which comprised around $3.3 trillion in U.S. spending in 2016 alone. Unchecked, that number is expected to balloon even further over the next several years.

For its part, the company is leveraging existing cloud offerings to create an information sharing infrastructure for the massive world of healthcare. In its earliest stages, Google partnered with medical facilities like the Stanford School of Medicine, so a deal with Fitbit should prove a solid step toward mainstreaming its offering.

For Fitbit, the deal means moving a step closer toward healthcare legitimacy. At a recent event, CEO James Park told us that health was set to comprise a big part of the consumer electronics company’s plans moving forward. It’s clear he wasn’t quite as all-in as Jawbone, which shuttered the consumer side entirely, but there’s definitely money to be made for a company that can make legitimate health tracking ubiquitous.

The plan is to offer a centralized stop for doctors to monitor both electronic medical records and regular monitoring from Fitbit’s devices. Recently acquired Twine Health, meanwhile, will help the company give more insight into issues like diabetes and hypertension.

No word yet on a timeline for when all of this will become widely available.

 

via:  techcrunch